Talos Vulnerability Report

TALOS-2019-0785

April 8, 2019

CVE Number

CVE-2019-5024

Summary

A restricted environment escape vulnerability exists in the "kiosk mode" function of Capsule Technologies SmartLinx Neuron 2 medical information collection devices running version 6.9.1. A specific series of keyboard inputs can escape the restricted environment, resulting in full administrator access to the underlying operating system. An attacker can connect to the device via USB port with a keyboard or other HID device to trigger this vulnerability.

Tested Versions

Capsule Technologies SmartLinx Neuron 2 6.9.1

Testing was conducted on a legacy version of the software which is no longer supported by Capsule Technologies. However, Talos is aware that the vulnerable version is being used in hospital environments and is therefore releasing this advisory.

Product URLs

CVSSv3 Score

7.6 - CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-693: Protection Mechanism Failure

Details

The Capsule Technologies SmartLinx Neuron 2 is a "bedside mobile clinical computer that enables the automatic collection of vital signs data. It features local data storage, and connects to the hospital network" and "is the core hardware component of Capsule™ medical device information system," according to the manufacturer.

The devices feature a restricted environment, commonly referred to as "kiosk mode," to prevent a user from exiting the running applications and accessing the underlying operating system. It is possible to connect a USB keyboard or other HID device and, through a series of specific keystrokes, escape this restricted environment and access the Microsoft Windows operating system with full administrator permissions. This access could provide an attacker with full control of a trusted device on a hospital's internal network.

Exploit Proof of Concept

Connect a USB keyboard to the device. Entering the following keystrokes will escape the restricted environment and open an operating system command prompt with administrator privileges.

Mitigation

Apply vendor software updates. The current version (10.1) is reportedly unaffected by the vulnerability as described in this advisory.

Restrict physical access to vulnerable devices and ensure they remain outside of the organization's security perimeter. Ensure data or communications from said devices are not implicitly trusted by internal systems. If possible, physically disable or obstruct access to USB ports on vulnerable devices. Monitor logs for signs of connections of unauthorized peripherals to vulnerable devices.
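
The log monitoring recommended above, sketched as an added example (not part of the Talos advisory or any vendor tooling): it scans device-attach records for USB peripherals whose vendor/product ID is not on an allowlist and ranks HID-class devices highest, since the vector described here is a keyboard or other HID device. The record layout, host names, IDs and allowlist are constructed assumptions; adapt the parsing to whatever source records device connections on your hosts.

```python
import re

# Constructed sample records: "timestamp host device-instance-id compatible-id".
# The layout, host names and IDs are assumptions made for this example.
SAMPLE_LOG = r"""2019-04-09T02:14:07Z neuron-icu-04 USB\VID_1111&PID_2222\5&1A2B3C&0&2 USB\Class_03&SubClass_01&Prot_01
2019-04-09T08:30:12Z neuron-icu-04 USB\VID_3333&PID_4444\6&AA11BB&0&1 USB\Class_03&SubClass_00&Prot_00
2019-04-09T09:01:55Z neuron-er-02 USB\VID_5555&PID_6666\SN0001 USB\Class_08&SubClass_06&Prot_50
2019-04-09T09:05:00Z neuron-er-02 USB\VID_1111&PID_2222\7&DD22EE&0&3 USB\Class_03&SubClass_01&Prot_01
malformed line
"""

# Hypothetical allowlist of approved (VID, PID) pairs, e.g. a sanctioned scanner.
APPROVED = {("3333", "4444")}

ID_RE = re.compile(r"USB\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})", re.I)
CLASS_RE = re.compile(
    r"USB\\Class_([0-9A-F]{2})(?:&SubClass_[0-9A-F]{2}&Prot_([0-9A-F]{2}))?", re.I)


def classify(compat_id):
    """Map a USB compatible ID to a coarse device kind (class 03 is HID)."""
    m = CLASS_RE.match(compat_id)
    if not m:
        return "unknown"
    cls, prot = m.groups()
    if cls == "03":
        # Interface protocol 01 is a keyboard; other HID devices can still type.
        return "hid-keyboard" if prot == "01" else "hid-other"
    return "non-hid"


def find_unauthorized(log_text, approved=APPROVED):
    """Return one alert per attach record whose VID/PID is not allowlisted."""
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip records that do not fit the assumed layout
        ts, host, device_id, compat_id = parts
        m = ID_RE.match(device_id)
        if not m:
            continue
        vid_pid = (m.group(1).upper(), m.group(2).upper())
        if vid_pid in approved:
            continue
        kind = classify(compat_id)
        severity = "high" if kind.startswith("hid") else "medium"
        alerts.append({"time": ts, "host": host, "vid_pid": vid_pid,
                       "kind": kind, "severity": severity})
    return alerts
```

Running `find_unauthorized(SAMPLE_LOG)` returns three alerts for the constructed data: two high-severity keyboard attachments and one medium-severity non-HID device.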